| Summary: | [Doc RFE] Document how to set security access for a volume. | ||
|---|---|---|---|
| Product: | Red Hat Gluster Storage | Reporter: | Anjana Suparna Sriram <asriram> |
| Component: | doc-Container_Native_Storage_with_OpenShift | Assignee: | Bhavana <bmohanra> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | krishnaram Karthick <kramdoss> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | cns-3.4 | CC: | annair, asriram, hchiramm, khartsoe, kramdoss, rcyriac, rhs-bugs, storage-doc |
| Target Milestone: | --- | Flags: | hchiramm: needinfo- hchiramm: needinfo- |
| Target Release: | CNS 3.4 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | Enhancement |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-01-23 07:22:49 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | |||
| Bug Blocks: | 1385252 | ||
Description
Anjana Suparna Sriram
2016-10-21 07:01:05 UTC
Hi Bhavana...per feedback from Luis: This will mostly be handled by dynamic provisioning. Humble is your main contact. Once a group id has been set for the volume, then the instructions in Section 19.3.4.1 in [1] can be followed to set up the application.

[1] https://access.redhat.com/documentation/en/openshift-container-platform/3.3/paged/installation-and-configuration/chapter-19-configuring-persistent-storage#install-config-persistent-storage-persistent-storage-glusterfs

Also, please include Erin Boyd in any review of the content. Thanks.

Hi Humble,

Following is the updated link shared by Anjana:

https://access.redhat.com/documentation/en/openshift-container-platform/3.3/single/installation-and-configuration/#complete-example-using-gusterfs-defining-glusterfs-volume-access

Let me know if I can use it in the guide.

(In reply to Bhavana from comment #8)
> Hi Humble,
>
> Following is the updated link shared by Anjana:
>
> https://access.redhat.com/documentation/en/openshift-container-platform/3.3/single/installation-and-configuration/#complete-example-using-gusterfs-defining-glusterfs-volume-access
>
> Let me know if I can use it in the guide.

LGTM.

Hi Humble,

Here is the updated link with the details regarding volume security for statically provisioned volumes:

http://ccs-jenkins.gsslab.brq.redhat.com:8080/job/doc-Red_Hat_Gluster_Storage-3.4-Container_Native_Storage_with_OpenShift_Platform-branch-dynamic_provisioning_volume_security/lastSuccessfulBuild/artifact/tmp/en-US/html-single/index.html#idm140189474689728

I would like to understand if we are going ahead with "Volume Security for Dynamically Provisioned Volumes" or not. Based on that I can either move the bug on_qa or wait for more details wrt dynamically provisioned volumes.

Thanks.

(In reply to Bhavana from comment #10)
> Hi Humble,
>
> Here is the updated link with the details regarding volume security for statically provisioned volumes:
>
> http://ccs-jenkins.gsslab.brq.redhat.com:8080/job/doc-Red_Hat_Gluster_Storage-3.4-Container_Native_Storage_with_OpenShift_Platform-branch-dynamic_provisioning_volume_security/lastSuccessfulBuild/artifact/tmp/en-US/html-single/index.html#idm140189474689728
>
> I would like to understand if we are going ahead with "Volume Security for Dynamically Provisioned Volumes" or not.
>
> Based on that I can either move the bug on_qa or wait for more details wrt dynamically provisioned volumes.
>
> Thanks.

We will have this feature in CNS 3.4. Let's work on the documentation.

(In reply to Humble Chirammal from comment #11)
> (In reply to Bhavana from comment #10)
> > Hi Humble,
> >
> > Here is the updated link with the details regarding volume security for statically provisioned volumes:
> >
> > http://ccs-jenkins.gsslab.brq.redhat.com:8080/job/doc-Red_Hat_Gluster_Storage-3.4-Container_Native_Storage_with_OpenShift_Platform-branch-dynamic_provisioning_volume_security/lastSuccessfulBuild/artifact/tmp/en-US/html-single/index.html#idm140189474689728
> >
> > I would like to understand if we are going ahead with "Volume Security for Dynamically Provisioned Volumes" or not.
> >
> > Based on that I can either move the bug on_qa or wait for more details wrt dynamically provisioned volumes.
> >
> > Thanks.
>
> We will have this feature in CNS 3.4. Let's work on the documentation.

Sure Humble,

Can you please share the steps to set up Volume Security for Dynamically Provisioned Volumes?

Thanks

The dynamic provisioner introduced 2 more new parameters called gidMin and gidMax, which allow the admin to configure a GID range for the storage class. For ex:

    gidMin: "2000"
    gidMax: "4000"

If mentioned, the dynamic provisioner will allocate a GID from this range.
While deleting the claim, the GID will be released from it.

Using the gluster dynamic provisioner, create a PVC, for ex: claim1. Once the PV is bound, attach the PVC to the pod; this pod has to be spawned in non-privileged mode. Then go to the gluster PVC mount point in the pod. Start writing to the volume.

Expected result: The write from the pod should work without issues. Validate the mount permissions; it will be "775" on this mount point. The GID is internally created and passed to the pod as a supplemental Group ID.

Please feel free to ping if you need any more details on this.

Hi Humble,

Based on comment 13 I have the following queries. I am not sure if all of these are valid, but you can be the judge of that :)

1) If the admin has to configure a GID range for the storage class, should this be added in the storage class file? If yes, can you please provide a sample storage class file with the GID details added.

2) Is the PVC file the same as the one that was added in section 5.2.1.3. Creating a Persistent Volume Claim, or are there changes to it, and should that be included in the flow of steps?

3) Based on your comment "Once the PV is bound, attach the PVC to the pod; this pod has to be spawned in non-privileged mode." Is this pod file the same as step 1 in 5.2.1.5. Using the Claim in a Pod, or will there be changes here wrt the GIDs?

4) I need the steps for the following too: "Then go to the gluster PVC mount point in the pod. Start writing to the volume." Are these the steps one performs after verifying that the PV is mounted in the container? (oc rsh busybox)

Link for reference: http://ccs-jenkins.gsslab.brq.redhat.com:8080/job/doc-Red_Hat_Gluster_Storage-3.4-Container_Native_Storage_with_OpenShift_Platform-branch-master/lastSuccessfulBuild/artifact/tmp/en-US/html-single/index.html

Bhavana, Can you please directly point to the doc where I can edit?
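The gidMin/gidMax flow Humble describes above, as an added example that is not part of the bug thread, the CNS documentation or the provisioner's code: a StorageClass carrying the GID range, a non-privileged pod using claim1, and a check that the `id` output seen via `oc rsh busybox` contains a supplemental group from that range and that the mount mode is 775. The heketi endpoint, secret name, class name and mount path are assumed placeholders.

```shell
# Constructed example for the gidMin/gidMax flow described in this thread; not content of
# the bug, the CNS docs or the provisioner. resturl and secretName are placeholders.
# StorageClass with the GID pool 2000-4000 quoted above: the provisioner takes one GID
# per PV from it and releases that GID when the claim is deleted.
storage_class_yaml() {
  cat <<'EOF'
apiVersion: storage.k8s.io/v1beta1
kind: StorageClass
metadata:
  name: gluster-dyn
provisioner: kubernetes.io/glusterfs
parameters:
  resturl: "http://heketi.example.invalid:8080"
  secretNamespace: "default"
  secretName: "heketi-secret"
  gidMin: "2000"
  gidMax: "4000"
EOF
}

# Non-privileged pod using claim1: no privileged securityContext, so writes only work
# because the allocated GID reaches the container as a supplemental group.
pod_yaml() {
  cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: busybox
spec:
  containers:
  - name: busybox
    image: busybox
    command: ["sleep", "3600"]
    volumeMounts: [{name: gluster-vol, mountPath: /mnt/gluster}]
  volumes:
  - {name: gluster-vol, persistentVolumeClaim: {claimName: claim1}}
EOF
}

# From the `id` output seen via `oc rsh busybox`, print the supplemental group that
# lies in [min,max] (the provisioner's GID) and return 0; return 1 if there is none.
gid_in_range() {
  groups=$(printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' | sed 's/(.*//')
  for g in $groups; do
    [ "$g" -ge "$2" ] && [ "$g" -le "$3" ] && { echo "$g"; return 0; }
  done
  return 1
}
# The mount point is expected to be 775 (group-writable) so that supplemental group can write.
mount_mode_ok() { [ "$1" = "775" ]; }
```

On a live cluster, feed `storage_class_yaml` and `pod_yaml` to `oc create -f -`, then pass the output of `oc rsh busybox id` to `gid_in_range` and the mode from `stat -c %a /mnt/gluster` to `mount_mode_ok`.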
Hi Humble,

Following is the link to the google doc, where I have added the same queries so that it is easier to refer: https://docs.google.com/a/redhat.com/document/d/1ezbk2vVRG7WvVH0qvYqNceX5wOckhTYnbfOXmz0WyJs/edit?usp=sharing

You can add the details here.

Bhavana, clearing needinfo based on our f2f discussion.

Hi Humble,

Based on my meeting with you and Ashiq, I have added the details regarding volume security for dynamically provisioned volumes under section 5.3: http://ccs-jenkins.gsslab.brq.redhat.com:8080/job/doc-Red_Hat_Gluster_Storage-3.4-Container_Native_Storage_with_OpenShift_Platform-branch-master/lastSuccessfulBuild/artifact/tmp/en-US/html-single/index.html#idm140149139570160

Let me know if you have any further comments or whether this looks ok. Based on that I shall move this bug on_qa.

Thanks

Bhavana, we also need to mention that when deleting the claim, the GID of the PV is released from the pool.

Hi Humble,

I have added the details suggested: http://ccs-jenkins.gsslab.brq.redhat.com:8080/job/doc-Red_Hat_Gluster_Storage-3.4-Container_Native_Storage_with_OpenShift_Platform-branch-master/lastSuccessfulBuild/artifact/tmp/en-US/html-single/index.html#idm140179497694816

Moving the bug on_qa.

The document looks good; I have a minor change to suggest. I'll move the bug to verified once the change is made.

Step 4 under Volume security for dynamically provisioned volumes,

    # oc rsh busybox
    # id

For example:

    # id
    uid=1000060000 gid=0(root) groups=0(root),2001

should be,

    # oc rsh busybox
    $ id

For example:

    $ id
    uid=1000060000 gid=0(root) groups=0(root),2001

The changes are made as suggested: http://ccs-jenkins.gsslab.brq.redhat.com:8080/job/doc-Red_Hat_Gluster_Storage-3.4-Container_Native_Storage_with_OpenShift_Platform-branch-master/lastSuccessfulBuild/artifact/tmp/en-US/html-single/index.html#idm140606131396304

Doc content looks good to me, moving the bug to verified.